US6158021A - Method of checking the operability of a processor - Google Patents

Method of checking the operability of a processor Download PDF

Info

Publication number
US6158021A
US6158021A US09/137,317 US13731798A US6158021A US 6158021 A US6158021 A US 6158021A US 13731798 A US13731798 A US 13731798A US 6158021 A US6158021 A US 6158021A
Authority
US
United States
Prior art keywords
processor
instruction
result
value
computation
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
US09/137,317
Inventor
Herbert Ziegler
Richard Merl
Horst Jouvenal
Dietmar Peters
Johann Schmid
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Siemens AG
Original Assignee
Siemens AG
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Siemens AG filed Critical Siemens AG
Assigned to SIEMENS AKTIENGESELLSCHAFT reassignment SIEMENS AKTIENGESELLSCHAFT ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: JOUVENAL, HORST, MERL, RICHARD, PETERS, DIETMAR, SCHMID, JOHANN, ZIEGLER, HERBERT
Application granted granted Critical
Publication of US6158021A publication Critical patent/US6158021A/en
Anticipated expiration legal-status Critical
Expired - Fee Related legal-status Critical Current

Links

Images

Classifications

    • BPERFORMING OPERATIONS; TRANSPORTING
    • B60VEHICLES IN GENERAL
    • B60TVEHICLE BRAKE CONTROL SYSTEMS OR PARTS THEREOF; BRAKE CONTROL SYSTEMS OR PARTS THEREOF, IN GENERAL; ARRANGEMENT OF BRAKING ELEMENTS ON VEHICLES IN GENERAL; PORTABLE DEVICES FOR PREVENTING UNWANTED MOVEMENT OF VEHICLES; VEHICLE MODIFICATIONS TO FACILITATE COOLING OF BRAKES
    • B60T8/00Arrangements for adjusting wheel-braking force to meet varying vehicular or ground-surface conditions, e.g. limiting or varying distribution of braking force
    • B60T8/32Arrangements for adjusting wheel-braking force to meet varying vehicular or ground-surface conditions, e.g. limiting or varying distribution of braking force responsive to a speed condition, e.g. acceleration or deceleration
    • B60T8/88Arrangements for adjusting wheel-braking force to meet varying vehicular or ground-surface conditions, e.g. limiting or varying distribution of braking force responsive to a speed condition, e.g. acceleration or deceleration with failure responsive means, i.e. means for detecting and indicating faulty operation of the speed responsive control means
    • B60T8/885Arrangements for adjusting wheel-braking force to meet varying vehicular or ground-surface conditions, e.g. limiting or varying distribution of braking force responsive to a speed condition, e.g. acceleration or deceleration with failure responsive means, i.e. means for detecting and indicating faulty operation of the speed responsive control means using electrical circuitry
    • FMECHANICAL ENGINEERING; LIGHTING; HEATING; WEAPONS; BLASTING
    • F02COMBUSTION ENGINES; HOT-GAS OR COMBUSTION-PRODUCT ENGINE PLANTS
    • F02DCONTROLLING COMBUSTION ENGINES
    • F02D41/00Electrical control of supply of combustible mixture or its constituents
    • F02D41/24Electrical control of supply of combustible mixture or its constituents characterised by the use of digital means
    • F02D41/26Electrical control of supply of combustible mixture or its constituents characterised by the use of digital means using computer, e.g. microprocessor
    • F02D41/266Electrical control of supply of combustible mixture or its constituents characterised by the use of digital means using computer, e.g. microprocessor the computer being backed-up or assisted by another circuit, e.g. analogue
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/22Detection or location of defective computer hardware by testing during standby operation or during idle time, e.g. start-up testing
    • BPERFORMING OPERATIONS; TRANSPORTING
    • B60VEHICLES IN GENERAL
    • B60TVEHICLE BRAKE CONTROL SYSTEMS OR PARTS THEREOF; BRAKE CONTROL SYSTEMS OR PARTS THEREOF, IN GENERAL; ARRANGEMENT OF BRAKING ELEMENTS ON VEHICLES IN GENERAL; PORTABLE DEVICES FOR PREVENTING UNWANTED MOVEMENT OF VEHICLES; VEHICLE MODIFICATIONS TO FACILITATE COOLING OF BRAKES
    • B60T2270/00Further aspects of brake control systems not otherwise provided for
    • B60T2270/40Failsafe aspects of brake control systems
    • B60T2270/406Test-mode; Self-diagnosis
    • BPERFORMING OPERATIONS; TRANSPORTING
    • B60VEHICLES IN GENERAL
    • B60WCONJOINT CONTROL OF VEHICLE SUB-UNITS OF DIFFERENT TYPE OR DIFFERENT FUNCTION; CONTROL SYSTEMS SPECIALLY ADAPTED FOR HYBRID VEHICLES; ROAD VEHICLE DRIVE CONTROL SYSTEMS FOR PURPOSES NOT RELATED TO THE CONTROL OF A PARTICULAR SUB-UNIT
    • B60W50/00Details of control systems for road vehicle drive control not related to the control of a particular sub-unit, e.g. process diagnostic or vehicle driver interfaces
    • B60W2050/0001Details of the control system
    • B60W2050/0043Signal treatments, identification of variables or parameters, parameter estimation or state estimation
    • B60W2050/0044In digital systems
    • B60W2050/0045In digital systems using databus protocols
    • BPERFORMING OPERATIONS; TRANSPORTING
    • B60VEHICLES IN GENERAL
    • B60WCONJOINT CONTROL OF VEHICLE SUB-UNITS OF DIFFERENT TYPE OR DIFFERENT FUNCTION; CONTROL SYSTEMS SPECIALLY ADAPTED FOR HYBRID VEHICLES; ROAD VEHICLE DRIVE CONTROL SYSTEMS FOR PURPOSES NOT RELATED TO THE CONTROL OF A PARTICULAR SUB-UNIT
    • B60W50/00Details of control systems for road vehicle drive control not related to the control of a particular sub-unit, e.g. process diagnostic or vehicle driver interfaces
    • B60W50/02Ensuring safety in case of control system failures, e.g. by diagnosing, circumventing or fixing failures
    • B60W50/0205Diagnosing or detecting failures; Failure detection models
    • B60W2050/021Means for detecting failure or malfunction

Definitions

  • the invention relates to a method of checking the operability of a computing processor by means of a second processor which provides to the first processor a computation rule and a start value.
  • the first processor uses the start value and the computation rule to calculate a result and transfers the result to the second processor, which compares the result with a comparison result.
  • Methods for monitoring the operability or functionality of a processor are used, in particular, in motor vehicle engineering where the processor controls a safety-related motor vehicle function.
  • the control system for the cruise control or the control system for the throttle valve position is safety-related.
  • the processor which controls the cruise control or the throttle valve position should thus be checked for proper operation.
  • German published non-prosecuted patent application DE 44 38 714 A1 discloses a method for controlling a drive unit in a vehicle.
  • a computation element is provided for carrying out control functions and monitoring functions for power control.
  • the computation element is split into three independent levels. The first level carries out the control of the power, the second level monitors that the control process is carried out, and the third level monitors the operation of the second level.
  • the second level monitors the control function for controlling the throttle valve by comparing values derived from pre-set values and setting values for the power.
  • a method of checking the operability of a first processor which comprises:
  • the computation rule being an instruction from an instruction set used by the first processor for processing a program or a computation rule
  • the computation rule is defined with at least one instruction from the instruction set with an arithmetic instruction, a logic instruction, a bit set instruction, a comparison instruction, a shift instruction, a transfer instruction, and a jump instruction.
  • the second processor provides cyclically different computation rules and different start values to the first processor.
  • the different computation rules have different instructions for a same type of instruction.
  • the method comprises the following steps which follow the above noted comparing step:
  • the instruction set is a machine instruction set of a microcontroller, and preferably an assembler instruction set.
  • the computation rule is defined as a sequence of instructions, and a result of a first instruction or a condition bit of the first instruction is taken into account in processing a second instruction.
  • the sequence of instructions is processed successively, the first instruction being processed with the start value, a result of the first instruction being used as the start value for the second instruction, and a result of the second instruction being passed to the second processor as a final result.
  • At least one condition bit of an instruction being processed is checked for a correct value while the first processor is being checked for its operability.
  • a major advantage of the invention is that basic functions which a processor uses for processing functions are checked.
  • FIG. 1 is a schematic layout of a motor vehicle with a controller
  • FIG. 2 is a flow chart showing a schematic program sequence
  • FIG. 3 is an instruction table
  • FIG. 4 is a result table
  • FIG. 5 is a flow chart of a program sequence
  • FIG. 8 is a flow chart of a third subroutine.
  • the gas pedal sensor 11 is connected via a sensor line 15 to a first processor 3, which is connected via a control line 6 to the throttle valve controller 2, via a first data line 4 to a first memory 5, via a first databus 16 to the internal combustion engine 1, and via a second databus 7 to a second processor 8.
  • the second processor 8 is connected via a second data line 9 to a second memory 10.
  • the power desired by the driver is indicated by appropriate operation of the gas pedal 14.
  • the position of the gas pedal 14 is measured by the gas pedal sensor 11 and is passed on to the first controller 3.
  • the first controller 3 then converts the driver's wish into a corresponding drive level for the throttle valve controller 2, which adjusts the throttle valve 17 in an appropriate manner.
  • the first processor 3 takes account of parameters relating to the internal combustion engine 1, which are fed to the first processor 3 via the first databus 16, and uses calculation and control functions which are stored in the first memory 5 to calculate from the driver's wish the drive signal by means of which the throttle valve controller 2 is driven. Parameters from the environment, such as the outside temperature or the humidity for example, are preferably taken into account.
  • FIG. 2 shows a schematic method by means of which correct operation of the first processor 3 is checked by the second processor 8.
  • program item 26 If the comparison in program item 25 indicates that the result and the comparison result do not match, then, in program item 26, an error counter is incremented by the value 1 by the second processor 8. Once program item 26 has been processed, the program branches to program item 31.
  • the second processor 8 passes the information to the first processor 3 that the result supplied matches the comparison result.
  • the second processor 8 checks the error counter and decrements the value of the error counter in program item 30, provided this value is greater than zero.
  • the second processor 8 supplies the first processor 3 with an error signal if the result calculated by the first processor 3 does not match the corresponding, stored comparison result. On receipt of an error signal, the first processor 3 increments the error counter by the value 1. If the result is correct, the second processor 8 supplies the first processor 3 with a response signal. The first processor 3 then decrements the error counter by the value 1 on receipt of a response signal. The second processor 8 checks the decrementing of the error counter and passes an alarm signal to the first processor 3 if the first processor 3 does not decrement the error counter when a response signal occurs. When an error signal occurs, the first processor 3 goes to an emergency operation, in which only limited power control is possible.
  • the second processor 8 chooses from the second memory 10 another start value and/or another computation rule which is then given to the first processor 3, in program item 21 and in program item 22. If the error counter is not equal to zero, then the second processor 8 preferably chooses the same computation rule for the next test program and, preferably, the same start value with which the incorrect result was calculated by the first processor 3. The same computation rule continues to be used until the error is overcome or the first processor 3 has switched to an emergency running function.
  • FIG. 3 shows a table in which, as in the example, the instruction set of the first processor 3 is quoted, by means of which the first processor 3 processes programs and/or calculations.
  • the instructions in the instruction set are in this case associated with four different computation rules, which are designated computation 0, computation 1, computation 2 and computation 3.
  • the instruction types in the instruction set comprise arithmetic instructions, logic instructions, bit set instructions, comparison instructions, shift instructions, transfer instructions and jump instructions.
  • Each computation rule preferably contains at least one arithmetic instruction, one logic instruction, one bit set instruction, one comparison instruction, one shift instruction, one transfer instruction and one jump instruction.
  • the computation table illustrated in FIG. 3 is stored in the first memory 5.
  • FIG. 4 shows a result table which shows the result of the computation rules for computation 0 to computation 3 as a function of the start value.
  • the result of FIG. 4 is obtained by the first processor 3 when the computation rule is processed correctly.
  • the designation result 0, result 1, result 2 and result 3 denote the result of computation 0, computation 1, computation 2 and computation 3.
  • FIG. 4 shows, for a start value 0, which corresponds to a hexadecimal value of 155C, the result 0 of the computation 0 with a hexadecimal value of B246.
  • the first processor 3 when processing computation 0 must obtain the result 0 with the hexadecimal value of ACCD if the first processor 3 is working correctly.
  • the computation rules shown in FIG. 3 represent preferred computation rules.
  • a computation rule comprises only at least one instruction from the instruction set for the processor to be tested.
  • the instructions shown as an example in FIG. 3 are assembler instructions.
  • the computation rules When the computation rules are being programmed in the processor 3, the computation rules should be programmed directly in the appropriate machine language since this is the only way in which the exact instruction set is defined. In the case of the example of the assembler instruction set, the computation rules 0 to 3 should be programmed in assembly language.
  • the computation 0 should be understood to mean that, with the start value predetermined by the second processor 8, the assembler instructions in the computation 0 column are carried out from top to bottom. For computation 0, this means that, starting from the value 0, the start value is added (ADD) and the hexadecimal value 155C is obtained as a result. The result is then multiplied by the start value (MUL). In this way, all assembler instructions in computation 0 are processed successively in such a manner that the result of the preceding assembler instruction is used once again for the next assembler instruction. In the event of a malfunction, each assembler instruction thus makes a contribution to the final result.
  • the last result that is to say the final result which is obtained after the jump instruction JNB, is supplied to the second processor 8 as the result, in program item 24.
  • assembler instructions have been quoted which are preferably checked for correct operation individually or, as illustrated in the computation rules in FIG. 3, a plurality of assembler instructions are checked for correct operation.
  • the essential advantage of the invention is that the instructions in the instruction set, preferably all the instructions in the instruction set, with which the first processor 3 processes or can process a program or a calculation, are checked for correct operation individually or as a group with a plurality of instructions in one test calculation.
  • instruction chains are checked which have at least one instruction from the various types of possible instructions, so that the various instruction types are checked by a single computation rule.
  • FIG. 5 shows in summary form the calculation of a computation rule which comprises the assembler instructions XORB, ADDC, JNB and XOR.
  • the assembler instructions are described, for example, in the Instruction Set Manual for the 16 bit CMOS single-chip microcontroller from Siemens.
  • program item 40 the computation rule is started similarly to the program item 23 in FIG. 2.
  • program item 41 the memory location at which the result of the computation rule is stored is loaded with an error value. This initial loading has the advantage that, in the event of termination of the computation rule, the result is loaded with an error result so that termination on the basis of the result is identified as an error.
  • the assembler instruction XORB is then carried out in program item 42.
  • the way in which this instruction is carried out is shown in more detail in FIG. 6.
  • condition bits are also provided as well as the result and provide further information about the processing of the computation rule.
  • condition bits are also provided as well as the result and provide further information about the processing of the computation rule.
  • the five condition bits are stored in a bit register and are referred to in the following text as the E Bit, Z Bit, V Bit, C Bit and N Bit.
  • the N Bit has the value 1 when the most significant bit in the result is set.
  • the N Bit is set to the value 0 when the most significant bit in the result is not set.
  • the C Bit has the value 1 when an overflow occurs at the most significant bit position.
  • the C Bit has the value 0 when no overflow occurs during the processing of the assembler instruction.
  • the V Bit has the value 1 when an arithmetic overflow occurs during the processing of the assembler instruction.
  • the V Bit has the value 0 when no arithmetic overflow occurs during the processing of the assembler instruction.
  • the Z Bit has the value 1 when the result of the assembler instruction has the value 0.
  • the Z Bit has the value 0 when the result of the assembler instruction does not have the value 0.
  • the E Bit has the value 1 when the second value (W2) represents the smallest negative number, otherwise the E Bit has the value 0.
  • the V Bit and the C Bit are always set to 0 for the assembler instruction XORB.
  • the processing of the assembler instruction XORB starts in program item 60, a start value from the table in FIG. 4 being used as the first value.
  • the start value is supplied by the second processor 8 to the first processor 3. If the start value is a 16-bit long data word, then only the HIGH byte of the start value, that is to say the eight most significant bits, is used for carrying out the assembler instruction XORB.
  • the value of a predetermined mask which filters eight bits out of the start value, is used as the second value (W2).
  • the mask that is used is composed of the eight least significant bits of the start value.
  • the result is stored, in program item 61, as an intermediate result in a temporary register. Then, in program item 62, the intermediate result stored in program item 61, plus the value of the bit register is stored as the new intermediate result, the condition bits, which are not influenced by the assembler instruction XORB, having been loaded with the value 0:
  • the assembler instruction ADDC is tested, which carries out an integer addition taking account of the carry bit, that is to say the C Bit:
  • the ADDC assembler instruction carries out a binary addition of the two's complement of the second value and of the first value, the C Bit which is produced in the last computation step also being added.
  • the result of the ADDC computation operation is stored as a new first value W1:
  • FIG. 7 The processing of the test calculation of the ADDC computation operation is explained in more detail in FIG. 7.
  • a branch is made from program item 43 to program item 70, in which the test calculation for the ADDC computation operation is started.
  • a check is carried out in program item 71 to determine whether the fifteenth bit in the start value which is taken from the table in FIG. 4 has the value 1. If this is the case, then the program branches to program item 72.
  • a working register AR is loaded with the result of the ADDC computation operation, the start value being used in each case as the first value and as the second value:
  • program item 75 the program then branches back to program item 44 in FIG. 5.
  • program item 73 If the question asked in program item 73 indicates that the C bit does not have the value 1 , then the program branches to program item 79, in which an error value is stored as the result and the test calculation is then ended in program item 80.
  • program item 76 If the question asked in program item 71 indicates that the fifteenth bit of the start value does not have the value 1, then the program branches to program item 76. After program item 76, the value of the computation operation ADDC is stored in the working register AR, the start value being used in each case as the first value and as the second value:
  • the C bit of the ADDC instruction is then checked in program item 77. If the C Bit has the value 0, then the program branches to program item 78. In program item 78, the sum of the value of the working register and the value of the previous intermediate result ZW(n-1) is stored as the new intermediate result ZW(n):
  • program item 81 the program then branches back to program item 44 in FIG. 5.
  • program item 77 If the question asked in program item 77 indicates that the C Bit does not have the value 0 , then the program branches to program item 79. In program item 79, an error value is stored as the result, and the test calculation is then ended in program item 80.
  • the test calculation for program item 44 comprises the assembler instructions JNB and XOR.
  • the assembler instruction JNB represents a conditional jump instruction which is carried out when a predetermined bit has the value 0.
  • an instruction pointer is used, which points at a current address at which the instruction to be carried out next is stored.
  • the instruction pointer is shifted by a predetermined number of addresses, as determined by the second value W2. However, if the predetermined bit has the value 1, then the instruction which is stored at the current address is carried out as the next instruction.
  • the XOR computation operation represents a logic, exclusive OR operation between a first value W1 and a second value W2: XOR (W1, W2).
  • the result of the XOR computation operation is stored as a new value W1:
  • program item 92 the fourth bit in the working register is then loaded with the value 0.
  • the JNB instruction is then carried out in program item 93, with the fourth bit of the working register AR being used as the first value W1.
  • the second value W2 is designed such that the instruction pointer jumps to a new address at which an error routine is stored as the instruction. If carrying out the JNB instruction now results in the fourth bit of the working register not being 0, then the program branches to program item 94 in accordance with the predetermined second value W2, in which program item 94 the error routine is started, in which the memory for the result is loaded with an error value, and the program is then ended in program item 97.
  • program item 95 the result of the XOR computation operation with the previous intermediate result ZW(n-1) as the first value W1 and the working register AR as the second value W2 is stored as the new intermediate result ZW(n):
  • program item 96 the program then branches back to program item 45.
  • the start values used in FIG. 5 are preferably always the same start value from the table in FIG. 4 which is associated with the corresponding computation rule.
  • a simple check of the first processor 3 when processing an instruction is to check for the correct value or the correct change of at least one condition bit in this instruction. If a condition bit is incorrect, it is possible to deduce that there is a malfunction in the first processor 3.
  • the condition bits in the first processor 3 are checked either by the first or the second processor 3, 8.

Abstract

The proper functionality of a first processor is checked with a second processor. The second processor thereby provides the first processor with a start value and a computation rule. The first processor carries out the specified computation rule using the predetermined start value, and returns a result to the second processor. The second processor checks the result against a stored comparison result. The computation rule is defined such that the basic instructions which are used for programming the first processor are checked.

Description

CROSS-REFERENCE TO RELATED APPLICATION
This is a continuation of copending International Application PCT/DE97/02830, filed Dec. 3, 1997, which designated the United States.
BACKGROUND OF THE INVENTION
Field of the Invention
The invention relates to a method of checking the operability of a computing processor by means of a second processor which provides to the first processor a computation rule and a start value. The first processor uses the start value and the computation rule to calculate a result and transfers the result to the second processor, which compares the result with a comparison result.
Methods for monitoring the operability or functionality of a processor are used, in particular, in motor vehicle engineering where the processor controls a safety-related motor vehicle function. For example, the control system for the cruise control or the control system for the throttle valve position is safety-related. The processor which controls the cruise control or the throttle valve position should thus be checked for proper operation.
German published non-prosecuted patent application DE 44 38 714 A1 discloses a method for controlling a drive unit in a vehicle. There, a computation element is provided for carrying out control functions and monitoring functions for power control. The computation element is split into three independent levels. The first level carries out the control of the power, the second level monitors that the control process is carried out, and the third level monitors the operation of the second level.
The second level monitors the control function for controlling the throttle valve by comparing values derived from pre-set values and setting values for the power.
SUMMARY OF THE INVENTION
It is accordingly an object of the invention to provide a method of checking the functionality of a processor, which overcomes the disadvantages of the prior art devices and methods of this general type and which allows for a reliable identification of faults and errors.
With the foregoing and other objects in view there is provided, in accordance with the invention, a method of checking the operability of a first processor, which comprises:
providing a computation rule and a start value to a first processor with a second processor, the computation rule being an instruction from an instruction set used by the first processor for processing a program or a computation rule;
calculating a result from the start value and the computation rule in the first processor and transferring the result to the second processor;
comparing the result with a comparison result in the second processor and deducing that the first processor is properly operable if the comparison step leads to an acceptable result.
In accordance with an added feature of the invention, the computation rule is defined with at least one instruction from the instruction set with an arithmetic instruction, a logic instruction, a bit set instruction, a comparison instruction, a shift instruction, a transfer instruction, and a jump instruction.
In accordance with another feature of the invention, the second processor provides cyclically different computation rules and different start values to the first processor.
In accordance with an additional feature of the invention, the different computation rules have different instructions for a same type of instruction.
In accordance with a further feature of the invention, the method comprises the following steps which follow the above noted comparing step:
if a result calculated by the first processor does not match the corresponding comparison result, supplying an error signal from the second processor to the first processor and incrementing an error counter with the first processor by a predetermined value on receipt of the error signal;
if a result is correct, supplying a response signal from the second processor to the first processor and decrementing the error counter with the first processor by the predetermined value on receipt of the response signal;
checking the decrementing of the error counter with the second processor, and passing an alarm signal from the second processor to the first processor if the first processor does not decrement the error counter when a response signal occurs.
In accordance with again another feature of the invention, the instruction set is a machine instruction set of a microcontroller, and preferably an assembler instruction set.
In accordance with again a further feature of the invention, the computation rule is defined as a sequence of instructions, and a result of a first instruction or a condition bit of the first instruction is taken into account in processing a second instruction.
In accordance with again an additional feature of the invention, the sequence of instructions is processed successively, the first instruction being processed with the start value, a result of the first instruction being used as the start value for the second instruction, and a result of the second instruction being passed to the second processor as a final result.
In accordance with a concomitant feature of the invention, at least one condition bit of an instruction being processed is checked for a correct value while the first processor is being checked for its operability.
A major advantage of the invention is that basic functions which a processor uses for processing functions are checked.
Other features which are considered as characteristic for the invention are set forth in the appended claims.
Although the invention is illustrated and described herein as embodied in a method of checking the operability of a processor, it is nevertheless not intended to be limited to the details shown, since various modifications and structural changes may be made therein without departing from the spirit of the invention and within the scope and range of equivalents of the claims.
The construction and method of operation of the invention, however, together with additional objects and advantages thereof will be best understood from the following description of specific embodiments when read in connection with the accompanying drawings.
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 is a schematic layout of a motor vehicle with a controller;
FIG. 2 is a flow chart showing a schematic program sequence;
FIG. 3 is an instruction table;
FIG. 4 is a result table;
FIG. 5 is a flow chart of a program sequence;
FIG. 6 is a flow chart of a first subroutine;
FIG. 7 is a flow chart of a second subroutine; and
FIG. 8 is a flow chart of a third subroutine.
DESCRIPTION OF THE PREFERRED EMBODIMENTS
Referring now to the figures of the drawing in detail and first, particularly, to FIG. 1 thereof, there is seen a controller for an internal combustion engine (ICE) 1 having an injection system which has an intake manifold 12 in which a throttle valve 17 is disposed. The throttle valve 17 is controlled by an associated throttle valve controller 2. The internal combustion engine 1 furthermore has an exhaust manifold 13 where exhaust gases are ejected. Furthermore, a gas pedal 14 is provided, whose position is determined by a gas pedal sensor 11.
The gas pedal sensor 11 is connected via a sensor line 15 to a first processor 3, which is connected via a control line 6 to the throttle valve controller 2, via a first data line 4 to a first memory 5, via a first databus 16 to the internal combustion engine 1, and via a second databus 7 to a second processor 8. The second processor 8 is connected via a second data line 9 to a second memory 10.
The method according to the invention will be described in the following text using the example of power control of an internal combustion engine 1, in which the power of the internal combustion engine is adjusted via the position of the throttle valve 17.
The power desired by the driver is indicated by appropriate operation of the gas pedal 14. The position of the gas pedal 14 is measured by the gas pedal sensor 11 and is passed on to the first controller 3. The first controller 3 then converts the driver's wish into a corresponding drive level for the throttle valve controller 2, which adjusts the throttle valve 17 in an appropriate manner.
The first processor 3 takes account of parameters relating to the internal combustion engine 1, which are fed to the first processor 3 via the first databus 16, and uses calculation and control functions which are stored in the first memory 5 to calculate from the driver's wish the drive signal by means of which the throttle valve controller 2 is driven. Parameters from the environment, such as the outside temperature or the humidity for example, are preferably taken into account.
The correct operation of the first processor 3 is checked by the second processor 8 by means of a data interchange via the second databus 7, the second processor 8 accessing data which are stored in the second memory 10.
FIG. 2 shows a schematic method by means of which correct operation of the first processor 3 is checked by the second processor 8.
After the power supply is switched on, an initialization is carried out in program item 20. During the initialization, predetermined initial parameters are read from the first and second memories 5, 10.
Subsequently, in program item 21, the second processor 8 supplies a start value to the first processor 3. In program item 22, the second processor 8 then gives the first processor 3 a computation rule.
After receiving the start value and the computation rule, the first processor 3 processes the predetermined computation rule using the predetermined start value, in program item 23. In program item 24, the first processor 3 passes to the second processor 8 the result calculated from the predetermined computation rule and the predetermined start value.
The second processor 8 compares the result supplied from the first processor 3 with a comparison result, which is stored in the second memory 10 as a function of the predetermined start value and the predetermined computation rule. If the comparison in program item 25 indicates that the result and the comparison result match, then the program branches off to program item 29.
However, if the comparison in program item 25 indicates that the result and the comparison result do not match, then, in program item 26, an error counter is incremented by the value 1 by the second processor 8. Once program item 26 has been processed, the program branches to program item 31.
In program item 29, the second processor 8 passes the information to the first processor 3 that the result supplied matches the comparison result. The second processor 8 then checks the error counter and decrements the value of the error counter in program item 30, provided this value is greater than zero.
In program item 31, the value of the error counter (ERROR) is then compared by the second processor 3 with a maximum value (ERR-- MAX). If the comparison indicates that the error counter is above the predetermined maximum value (ERR-- MAX), then, in the subsequent program item 27, the first processor 3 is switched by the second processor 8 to an emergency running function, in which the internal combustion engine 1 can now be controlled only within predetermined, limited power ranges so that any hazard is limited as far as possible, although it is still possible to reach the nearest garage.
A development of the invention is achieved by the following function: the second processor 8 supplies the first processor 3 with an error signal if the result calculated by the first processor 3 does not match the corresponding, stored comparison result. On receipt of an error signal, the first processor 3 increments the error counter by the value 1. If the result is correct, the second processor 8 supplies the first processor 3 with a response signal. The first processor 3 then decrements the error counter by the value 1 on receipt of a response signal. The second processor 8 checks the decrementing of the error counter and passes an alarm signal to the first processor 3 if the first processor 3 does not decrement the error counter when a response signal occurs. When an error signal occurs, the first processor 3 goes to an emergency operation, in which only limited power control is possible.
However, if the question asked in program item 31 indicates that the error counter is less than the predetermined maximum value, then the program branches to program item 32.
In program item 32, the second processor 8 chooses from the second memory 10 another start value and/or another computation rule which is then given to the first processor 3, in program item 21 and in program item 22. If the error counter is not equal to zero, then the second processor 8 preferably chooses the same computation rule for the next test program and, preferably, the same start value with which the incorrect result was calculated by the first processor 3. The same computation rule continues to be used until the error is overcome or the first processor 3 has switched to an emergency running function.
FIG. 3 shows a table in which, as in the example, the instruction set of the first processor 3 is quoted, by means of which the first processor 3 processes programs and/or calculations. The instructions in the instruction set are in this case associated with four different computation rules, which are designated computation 0, computation 1, computation 2 and computation 3. The instruction types in the instruction set comprise arithmetic instructions, logic instructions, bit set instructions, comparison instructions, shift instructions, transfer instructions and jump instructions.
Each computation rule preferably contains at least one arithmetic instruction, one logic instruction, one bit set instruction, one comparison instruction, one shift instruction, one transfer instruction and one jump instruction. The computation table illustrated in FIG. 3 is stored in the first memory 5.
FIG. 4 shows a result table which shows the result of the computation rules for computation 0 to computation 3 as a function of the start value. The result of FIG. 4 is obtained by the first processor 3 when the computation rule is processed correctly. In this case, the designation result 0, result 1, result 2 and result 3 denote the result of computation 0, computation 1, computation 2 and computation 3.
FIG. 4 shows, for a start value 0, which corresponds to a hexadecimal value of 155C, the result 0 of the computation 0 with a hexadecimal value of B246.
If the computation 1 is carried out by the first processor 3 using the start value 155C, then, if the processor 3 is operating correctly, the result 1 with the hexadecimal value 09BE must be obtained.
In the case of a start value with the hexadecimal value DFDB, the first processor 3 when processing computation 0 must obtain the result 0 with the hexadecimal value of ACCD if the first processor 3 is working correctly.
The computation rules shown in FIG. 3 represent preferred computation rules. In simple cases, a computation rule comprises only at least one instruction from the instruction set for the processor to be tested.
The instructions shown as an example in FIG. 3 are assembler instructions. When the computation rules are being programmed in the processor 3, the computation rules should be programmed directly in the appropriate machine language since this is the only way in which the exact instruction set is defined. In the case of the example of the assembler instruction set, the computation rules 0 to 3 should be programmed in assembly language.
The computation 0 should be understood to mean that, with the start value predetermined by the second processor 8, the assembler instructions in the computation 0 column are carried out from top to bottom. For computation 0, this means that, starting from the value 0, the start value is added (ADD) and the hexadecimal value 155C is obtained as a result. The result is then multiplied by the start value (MUL). In this way, all assembler instructions in computation 0 are processed successively in such a manner that the result of the preceding assembler instruction is used once again for the next assembler instruction. In the event of a malfunction, each assembler instruction thus makes a contribution to the final result.
If all the instructions in computation rule 0 have been processed, then the last result, that is to say the final result which is obtained after the jump instruction JNB, is supplied to the second processor 8 as the result, in program item 24.
In this exemplary embodiment, assembler instructions have been quoted which are preferably checked for correct operation individually or, as illustrated in the computation rules in FIG. 3, a plurality of assembler instructions are checked for correct operation.
If other machine instructions, that is to say the instruction set for processor 3, are used for programming, then they are checked with the aid of an appropriate computation rule, in order to check the correct operation of the first processor 3.
A machine instruction is used to denote instructions which represent the smallest predetermined instructions, in a programming language which is used to create the program, such as the individual assembler codes, for example, when using the assembler language.
The essential advantage of the invention is that the instructions in the instruction set, preferably all the instructions in the instruction set, with which the first processor 3 processes or can process a program or a calculation, are checked for correct operation individually or as a group with a plurality of instructions in one test calculation.
Preferably, instruction chains are checked which have at least one instruction from the various types of possible instructions, so that the various instruction types are checked by a single computation rule.
In the following text, an example which comprises only a few instructions in an instruction set, in this case in the assembler code for the processor 3 are used to illustrate the principle of function monitoring. As many of the instructions as possible (preferably all the instructions) are checked using test calculations in order to monitor the operability of the processor 3.
FIG. 5 shows in summary form the calculation of a computation rule which comprises the assembler instructions XORB, ADDC, JNB and XOR. The assembler instructions are described, for example, in the Instruction Set Manual for the 16 bit CMOS single-chip microcontroller from Siemens.
In program item 40, the computation rule is started similarly to the program item 23 in FIG. 2. First of all, in program item 41, the memory location at which the result of the computation rule is stored is loaded with an error value. This initial loading has the advantage that, in the event of termination of the computation rule, the result is loaded with an error result so that termination on the basis of the result is identified as an error.
The assembler instruction XORB is then carried out in program item 42. The way in which this instruction is carried out is shown in more detail in FIG. 6. The assembler instruction XORB represents a logic exclusive OR operation in which a logic, exclusive OR operation between a first value and a second a value is carried out bit-by-bit, and the result is stored as a new first value: W1=XORB (W1, W2), where W1 is the first value and W2 is the second value.
During the processing of computation rules, like the assembler instructions, condition bits are also provided as well as the result and provide further information about the processing of the computation rule. In the example of the 16-bit CMOS single-chip microcontroller, five condition bits are provided which are loaded with different values depending on the result of the assembler instruction carried out. The five condition bits are stored in a bit register and are referred to in the following text as the E Bit, Z Bit, V Bit, C Bit and N Bit. The N Bit has the value 1 when the most significant bit in the result is set. The N Bit is set to the value 0 when the most significant bit in the result is not set.
The C Bit has the value 1 when an overflow occurs at the most significant bit position. The C Bit has the value 0 when no overflow occurs during the processing of the assembler instruction. The V Bit has the value 1 when an arithmetic overflow occurs during the processing of the assembler instruction. The V Bit has the value 0 when no arithmetic overflow occurs during the processing of the assembler instruction. The Z Bit has the value 1 when the result of the assembler instruction has the value 0. The Z Bit has the value 0 when the result of the assembler instruction does not have the value 0. The E Bit has the value 1 when the second value (W2) represents the smallest negative number, otherwise the E Bit has the value 0. The V Bit and the C Bit are always set to 0 for the assembler instruction XORB.
The processing of the assembler instruction XORB starts in program item 60, a start value from the table in FIG. 4 being used as the first value. The start value is supplied by the second processor 8 to the first processor 3. If the start value is a 16-bit long data word, then only the HIGH byte of the start value, that is to say the eight most significant bits, is used for carrying out the assembler instruction XORB.
The value of a predetermined mask, which filters eight bits out of the start value, is used as the second value (W2). In the exemplary embodiment, the mask that is used is composed of the eight least significant bits of the start value.
After carrying out the computation operation XORB, the result is stored, in program item 61, as an intermediate result in a temporary register. Then, in program item 62, the intermediate result stored in program item 61, plus the value of the bit register is stored as the new intermediate result, the condition bits, which are not influenced by the assembler instruction XORB, having been loaded with the value 0:
ZW=ZW+(bit register)
The program then makes a jump, in program item 63, back to program item 43 in FIG. 5.
In program item 43, the assembler instruction ADDC is tested, which carries out an integer addition taking account of the carry bit, that is to say the C Bit:
ADDC(W1, W2)=W1+W2+C Bit.
The ADDC assembler instruction carries out a binary addition of the two's complement of the second value and of the first value, the C Bit which is produced in the last computation step also being added. The result of the ADDC computation operation is stored as a new first value W1:
W1=ADDC (W1, W2).
The processing of the test calculation of the ADDC computation operation is explained in more detail in FIG. 7. A branch is made from program item 43 to program item 70, in which the test calculation for the ADDC computation operation is started. A check is carried out in program item 71 to determine whether the fifteenth bit in the start value which is taken from the table in FIG. 4 has the value 1. If this is the case, then the program branches to program item 72. In program item 72, a working register AR is loaded with the result of the ADDC computation operation, the start value being used in each case as the first value and as the second value:
AR=ADDC (W1, W1)=ADDC (start value, start value).
A check is then carried out in program item 73 to determine whether the C Bit for the ADDC instruction carried out has the value 1. If this is the case, the sum of the working register AR and the previous intermediate result ZW(n-1) is then stored, in program item 74, as the new intermediate result ZW(n):
ZW(n)=AR+ZW(n-1).
In program item 75, the program then branches back to program item 44 in FIG. 5.
If the question asked in program item 73 indicates that the C bit does not have the value 1 , then the program branches to program item 79, in which an error value is stored as the result and the test calculation is then ended in program item 80.
If the question asked in program item 71 indicates that the fifteenth bit of the start value does not have the value 1, then the program branches to program item 76. After program item 76, the value of the computation operation ADDC is stored in the working register AR, the start value being used in each case as the first value and as the second value:
AR=ADDC (start value, start value).
The C bit of the ADDC instruction is then checked in program item 77. If the C Bit has the value 0, then the program branches to program item 78. In program item 78, the sum of the value of the working register and the value of the previous intermediate result ZW(n-1) is stored as the new intermediate result ZW(n):
ZW(n)=AR+ZW(n-1).
In program item 81, the program then branches back to program item 44 in FIG. 5.
If the question asked in program item 77 indicates that the C Bit does not have the value 0 , then the program branches to program item 79. In program item 79, an error value is stored as the result, and the test calculation is then ended in program item 80.
The test calculation for program item 44 comprises the assembler instructions JNB and XOR. The assembler instruction JNB represents a conditional jump instruction which is carried out when a predetermined bit has the value 0. In order to determine which instruction is intended to be carried out next, an instruction pointer is used, which points at a current address at which the instruction to be carried out next is stored.
If the jump instruction JNB is carried out, then the instruction pointer is shifted by a predetermined number of addresses, as determined by the second value W2. However, if the predetermined bit has the value 1, then the instruction which is stored at the current address is carried out as the next instruction.
The XOR computation operation represents a logic, exclusive OR operation between a first value W1 and a second value W2: XOR (W1, W2). The result of the XOR computation operation is stored as a new value W1:
W1=XOR (W1, W2).
The program branches from program item 44 to program item 90, in which the test calculation for the JNB and XOR instruction is started. In program item 91, the temporary working register AR is loaded with the predetermined start value from the table in FIG. 4: AR=start value.
In program item 92, the fourth bit in the working register is then loaded with the value 0. The JNB instruction is then carried out in program item 93, with the fourth bit of the working register AR being used as the first value W1. The second value W2 is designed such that the instruction pointer jumps to a new address at which an error routine is stored as the instruction. If carrying out the JNB instruction now results in the fourth bit of the working register not being 0, then the program branches to program item 94 in accordance with the predetermined second value W2, in which program item 94 the error routine is started, in which the memory for the result is loaded with an error value, and the program is then ended in program item 97.
However, if the question asked in program item 93 indicates that the fourth bit has the value 0 , then the program branches to program item 95. In program item 95, the result of the XOR computation operation with the previous intermediate result ZW(n-1) as the first value W1 and the working register AR as the second value W2 is stored as the new intermediate result ZW(n):
ZW(n)=XOR (ZW(n-1),AR).
In program item 96, the program then branches back to program item 45.
In program item 45, the first processor 3 passes, similarly to the program item 24 in FIG. 2, the result to the second processor 8, which compares the result with a comparison result and identifies a malfunction in the first processor 3 if the result does not match the comparison result, preferably with a predetermined relationship. The program is then ended.
The start values used in FIG. 5 are preferably always the same start value from the table in FIG. 4 which is associated with the corresponding computation rule.
The check of a plurality of instructions in an instruction chain, in which the result of an instruction is used once again for the following instruction, offers the advantage that each instruction contributes to the final result and thus relatively small inaccuracies in individual instructions are also reinforced in this way and hence lead to a noticeable error in the sum in the final result, which error makes it possible to deduce a malfunction in the processor.
A simple check of the first processor 3 when processing an instruction is to check for the correct value or the correct change of at least one condition bit in this instruction. If a condition bit is incorrect, it is possible to deduce that there is a malfunction in the first processor 3. The condition bits in the first processor 3 are checked either by the first or the second processor 3, 8.

Claims (11)

We claim:
1. A method of checking the operability of a first processor, which comprises:
providing a computation rule and a start value to a first processor with a second processor, the computation rule being an instruction from an instruction set used by the first processor for processing a program or a computation rule;
calculating a result from the start value and the computation rule in the first processor and transferring the result to the second processor;
comparing the result with a comparison result in the second processor and deducing that the first processor is properly operable if the comparison step leads to an acceptable result.
2. The method according to claim 1, which comprises defining the computation rule with at least one instruction selected from the instruction set with the group of instructions consisting of an arithmetic instruction, a logic instruction, a bit set instruction, a comparison instruction, a shift instruction, a transfer instruction, and a jump instruction.
3. The method according to claim 1, which comprises providing, with the second processor, cyclically different computation rules and different start values to the first processor.
4. The method according to claim 3, wherein the different computation rules have different instructions for a same type of instruction.
5. The method according to claim 1, which comprises, subsequently to the comparing step:
if a result calculated by the first processor does not match the corresponding comparison result, supplying an error signal from the second processor to the first processor and incrementing an error counter with the first processor by a predetermined value on receipt of the error signal;
if a result is correct, supplying a response signal from the second processor to the first processor and decrementing the error counter with the first processor by the predetermined value on receipt of the response signal;
checking the decrementing of the error counter with the second processor, and passing an alarm signal from the second processor to the first processor if the first processor does not decrement the error counter when a response signal occurs.
6. The method according to claim 1, wherein the instruction set is a machine instruction set of a microcontroller.
7. The method according to claim 6, wherein the instruction set is an assembler instruction set.
8. The method according to claim 1, which comprises defining the computation rule as a sequence of instructions, and taking into account a result of a first instruction or a condition bit of the first instruction in processing a second instruction.
9. The method according to claim 8, which comprises processing the sequence of instructions successively, processing the first instruction with the start value, using a result of the first instruction as the start value for the second instruction, and passing a result of the second instruction to the second processor as a final result.
10. The method according to claim 1, which further comprises checking at least one condition bit of an instruction being processed for a correct value, while the first processor is being checked for its operability.
11. A method of checking the operability of a first processor, which comprises:
providing one of a plurality of computation rule and one of a plurality of start values to a first processor with a second processor, the computation rules being an instruction from an instruction set used by the first processor for processing a program or a computation rule;
calculating a result from the start value and the computation rule in the first processor and transferring the result to the second processor;
comparing the result with a comparison result in the second processor and increasing an error counter if the comparison step does not lead to an acceptable result;
providing to the first processor the same computation rule and start value with which the first processor calculated the result if the comparison step does not lead to an acceptable result.
US09/137,317 1996-12-20 1998-08-20 Method of checking the operability of a processor Expired - Fee Related US6158021A (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
DE19653429 1996-12-20
DE19653429A DE19653429C2 (en) 1996-12-20 1996-12-20 Method for checking the functionality of a computing unit
PCT/DE1997/002830 WO1998028692A1 (en) 1996-12-20 1997-12-03 Method of checking the operability of a computing unit

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
PCT/DE1997/002830 Continuation WO1998028692A1 (en) 1996-12-20 1997-12-03 Method of checking the operability of a computing unit

Publications (1)

Publication Number Publication Date
US6158021A true US6158021A (en) 2000-12-05

Family

ID=7815632

Family Applications (1)

Application Number Title Priority Date Filing Date
US09/137,317 Expired - Fee Related US6158021A (en) 1996-12-20 1998-08-20 Method of checking the operability of a processor

Country Status (6)

Country Link
US (1) US6158021A (en)
EP (1) EP0898745B1 (en)
JP (1) JP2000507020A (en)
KR (1) KR100498150B1 (en)
DE (2) DE19653429C2 (en)
WO (1) WO1998028692A1 (en)

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20010042229A1 (en) * 2000-05-11 2001-11-15 James Ian John Patrick Fault monitoring system
US6366839B1 (en) * 1998-07-13 2002-04-02 Nissan Motor Co., Ltd. Monitoring fault in control device CPU containing exercise calculating section executing on proposed data to produce monitor converted result
US20020065624A1 (en) * 2000-08-24 2002-05-30 Ralf Arnold Method for testing a program-controlled unit by an external test device
US20030130831A1 (en) * 2002-01-10 2003-07-10 International Business Machines Non-unique results in design verification by test programs
US20050080492A1 (en) * 2003-10-10 2005-04-14 Hitachi, Ltd. Fail-safe controller
US7287195B1 (en) 2000-06-13 2007-10-23 Saab Ab Method and system for maintenance of a vehicle
US20070299576A1 (en) * 2006-06-24 2007-12-27 Dr. Ing. H.C. F. Porsche Aktiengesellschaft Method for operating control devices of a motor vehicle which communicate via a databus
US20090217110A1 (en) * 2008-02-25 2009-08-27 International Business Machines Corporation Method, system and computer program product involving error thresholds
US9940199B2 (en) 2014-07-21 2018-04-10 International Business Machines Corporation Checking arithmetic computations

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE19917208A1 (en) * 1999-04-16 2000-10-19 Bosch Gmbh Robert Testing of a vehicle computer by supplying test data to one or more program modules so that the results can be checked against expected results and an error condition indicated if necessary
DE19944939C1 (en) * 1999-09-20 2001-08-30 Mannesmann Vdo Ag Control device for a motor vehicle
DE10113917B4 (en) 2001-03-21 2019-05-23 Robert Bosch Gmbh Method and device for monitoring control units
DE10152273B4 (en) * 2001-10-20 2007-03-08 Robert Bosch Gmbh Method and device for monitoring a redundant shutdown path
JP3818218B2 (en) * 2002-05-22 2006-09-06 トヨタ自動車株式会社 Electronic control device for vehicle
DE102008020812A1 (en) * 2008-04-25 2009-10-29 Siemens Aktiengesellschaft Device for detecting an error present in a processor
DE102009026741A1 (en) * 2009-06-04 2011-02-03 Robert Bosch Gmbh An electronic control system and method for checking the correct operation of a computing unit in an electronic control system

Citations (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0082722A2 (en) * 1981-12-21 1983-06-29 General Electric Company Computer system with auxiliary service computer
US4456952A (en) * 1977-03-17 1984-06-26 Honeywell Information Systems Inc. Data processing system having redundant control processors for fault detection
US4460999A (en) * 1981-07-15 1984-07-17 Pacific Western Systems, Inc. Memory tester having memory repair analysis under pattern generator control
EP0154551A2 (en) * 1984-03-06 1985-09-11 Codex Corporation Apparatus for enabling a first processor to cause a second processor to effect a transfer of data between said processors
US4758948A (en) * 1983-11-04 1988-07-19 Inmos Limited Microcomputer
US5043984A (en) * 1987-04-14 1991-08-27 Japan Electronic Control Systems Co., Ltd. Method and system for inspecting microprocessor-based unit and/or component thereof
US5136595A (en) * 1988-05-25 1992-08-04 Nec Corporation Microprocessor operable in a functional redundancy monitor mode
DE4114999A1 (en) * 1991-05-08 1992-11-12 Bosch Gmbh Robert SYSTEM FOR CONTROLLING A MOTOR VEHICLE
US5406504A (en) * 1993-06-30 1995-04-11 Digital Equipment Multiprocessor cache examiner and coherency checker
US5410685A (en) * 1990-06-12 1995-04-25 Regents Of The University Of Michigan Non-intrinsive method and system for recovering the state of a computer system and non-intrusive debugging method and system utilizing same
US5557558A (en) * 1992-02-19 1996-09-17 Nec Corporation Microprocessor with self-diagnostic test function
US5581739A (en) * 1991-10-10 1996-12-03 Smiths Industries Public Limited Company Two lane computing systems
US5623497A (en) * 1994-02-09 1997-04-22 Advantest Corporation Bit error rate measurement apparatus
US5657330A (en) * 1994-11-15 1997-08-12 Mitsubishi Denki Kabushiki Kaisha Single-chip microprocessor with built-in self-testing function
US5732209A (en) * 1995-11-29 1998-03-24 Exponential Technology, Inc. Self-testing multi-processor die with internal compare points
US5805797A (en) * 1994-12-28 1998-09-08 Hitachi, Ltd. Controller having a fail safe function, automatic train controller and system using the same
US5948111A (en) * 1991-05-31 1999-09-07 Tandem Computers Incorporated Real time comparison of integrated circuit operation

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPS6191732A (en) * 1984-10-11 1986-05-09 Nec Corp Trouble processing system of data processing system
DE4438714A1 (en) * 1994-10-29 1996-05-02 Bosch Gmbh Robert Method and device for controlling the drive unit of a vehicle

Patent Citations (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4456952A (en) * 1977-03-17 1984-06-26 Honeywell Information Systems Inc. Data processing system having redundant control processors for fault detection
US4460999A (en) * 1981-07-15 1984-07-17 Pacific Western Systems, Inc. Memory tester having memory repair analysis under pattern generator control
EP0082722A2 (en) * 1981-12-21 1983-06-29 General Electric Company Computer system with auxiliary service computer
US4758948A (en) * 1983-11-04 1988-07-19 Inmos Limited Microcomputer
EP0154551A2 (en) * 1984-03-06 1985-09-11 Codex Corporation Apparatus for enabling a first processor to cause a second processor to effect a transfer of data between said processors
US5043984A (en) * 1987-04-14 1991-08-27 Japan Electronic Control Systems Co., Ltd. Method and system for inspecting microprocessor-based unit and/or component thereof
US5136595A (en) * 1988-05-25 1992-08-04 Nec Corporation Microprocessor operable in a functional redundancy monitor mode
US5410685A (en) * 1990-06-12 1995-04-25 Regents Of The University Of Michigan Non-intrinsive method and system for recovering the state of a computer system and non-intrusive debugging method and system utilizing same
DE4114999A1 (en) * 1991-05-08 1992-11-12 Bosch Gmbh Robert SYSTEM FOR CONTROLLING A MOTOR VEHICLE
US5948111A (en) * 1991-05-31 1999-09-07 Tandem Computers Incorporated Real time comparison of integrated circuit operation
US5581739A (en) * 1991-10-10 1996-12-03 Smiths Industries Public Limited Company Two lane computing systems
US5557558A (en) * 1992-02-19 1996-09-17 Nec Corporation Microprocessor with self-diagnostic test function
US5406504A (en) * 1993-06-30 1995-04-11 Digital Equipment Multiprocessor cache examiner and coherency checker
US5623497A (en) * 1994-02-09 1997-04-22 Advantest Corporation Bit error rate measurement apparatus
US5657330A (en) * 1994-11-15 1997-08-12 Mitsubishi Denki Kabushiki Kaisha Single-chip microprocessor with built-in self-testing function
US5805797A (en) * 1994-12-28 1998-09-08 Hitachi, Ltd. Controller having a fail safe function, automatic train controller and system using the same
US5732209A (en) * 1995-11-29 1998-03-24 Exponential Technology, Inc. Self-testing multi-processor die with internal compare points

Non-Patent Citations (10)

* Cited by examiner, † Cited by third party
Title
"A New HAD Algorithm for Optimal Routing of Hierarchically Structured Data Networks", Garng Huang et al., IEEE, 1995, pp. 594-601.
"Establishing Virtual Circuits in Large Computer Networks", Alan Baratz et al., Elsevier Science Publishers B.V. (North-Holland), pp. 27-37.
"Mikroprozessor Selbsttest" (Microprocessor selt test), B. Ebel, Elektronische Rechenanlagen, 1978, vol. 20, No. 4, pp. 186-194.
"Topological Analysis of Packet Networks", Vikram Sasenka, IEEE Journal on Selected Areas in Communications, vol. 7, No. 8, Oct. 8, 1989.
"Topology Aggregation for Hierarchical Routing in ATM Networks", Whay Lee, Computer Communication Review, pp. 82-91.
A New HAD Algorithm for Optimal Routing of Hierarchically Structured Data Networks , Garng Huang et al., IEEE, 1995, pp. 594 601. *
Establishing Virtual Circuits in Large Computer Networks , Alan Baratz et al., Elsevier Science Publishers B.V. (North Holland), pp. 27 37. *
Mikroprozessor Selbsttest (Microprocessor selt test), B. Ebel, Elektronische Rechenanlagen, 1978, vol. 20, No. 4, pp. 186 194. *
Topological Analysis of Packet Networks , Vikram Sasenka, IEEE Journal on Selected Areas in Communications, vol. 7, No. 8, Oct. 8, 1989. *
Topology Aggregation for Hierarchical Routing in ATM Networks , Whay Lee, Computer Communication Review, pp. 82 91. *

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6366839B1 (en) * 1998-07-13 2002-04-02 Nissan Motor Co., Ltd. Monitoring fault in control device CPU containing exercise calculating section executing on proposed data to produce monitor converted result
US20010042229A1 (en) * 2000-05-11 2001-11-15 James Ian John Patrick Fault monitoring system
US6845468B2 (en) * 2000-05-11 2005-01-18 Lucas Industries Limited Aircraft fault monitoring system and method
US7287195B1 (en) 2000-06-13 2007-10-23 Saab Ab Method and system for maintenance of a vehicle
US6885963B2 (en) * 2000-08-24 2005-04-26 Infineon Technologies Ag Method for testing a program-controlled unit by an external test device
US20020065624A1 (en) * 2000-08-24 2002-05-30 Ralf Arnold Method for testing a program-controlled unit by an external test device
US20030130831A1 (en) * 2002-01-10 2003-07-10 International Business Machines Non-unique results in design verification by test programs
US8055492B2 (en) * 2002-01-10 2011-11-08 International Business Machines Corporation Non-unique results in design verification by test programs
US7191359B2 (en) * 2003-10-10 2007-03-13 Hitachi, Ltd. Fail-safe controller
US20050080492A1 (en) * 2003-10-10 2005-04-14 Hitachi, Ltd. Fail-safe controller
US20070299576A1 (en) * 2006-06-24 2007-12-27 Dr. Ing. H.C. F. Porsche Aktiengesellschaft Method for operating control devices of a motor vehicle which communicate via a databus
US20090217110A1 (en) * 2008-02-25 2009-08-27 International Business Machines Corporation Method, system and computer program product involving error thresholds
US7984341B2 (en) * 2008-02-25 2011-07-19 International Business Machines Corporation Method, system and computer program product involving error thresholds
US9940199B2 (en) 2014-07-21 2018-04-10 International Business Machines Corporation Checking arithmetic computations

Also Published As

Publication number Publication date
JP2000507020A (en) 2000-06-06
KR19990087086A (en) 1999-12-15
DE19653429C2 (en) 1998-10-15
WO1998028692A1 (en) 1998-07-02
EP0898745A1 (en) 1999-03-03
EP0898745B1 (en) 2000-02-23
KR100498150B1 (en) 2005-09-09
DE19653429A1 (en) 1998-07-16
DE59701150D1 (en) 2000-03-30

Similar Documents

Publication Publication Date Title
US6158021A (en) Method of checking the operability of a processor
EP0636955B1 (en) Control unit for vehicle and total control system therefor
US5394327A (en) Transferable electronic control unit for adaptively controlling the operation of a motor vehicle
US6009370A (en) Control unit for vehicle and total control system therefor
US5274817A (en) Method for executing subroutine calls
US5980081A (en) Control system having effective error detection capabilities
US4450528A (en) Method and apparatus for controlling the operation of an internal combustion engine
US5970251A (en) Process for optimizing program parts for motor vehicle controllers
US6067586A (en) Method for checking a first processor performing functions by a data word received and stored, and modified after performing a given function, and monitored by a second processor
US20050251308A1 (en) Method and device for controlling the functional unit of a motor vehicle
KR20020007370A (en) Method and device for monitoring a computing element in a motor vehicle
EP0973096A2 (en) Central processing unit monitoring system
JP2000112837A (en) Memory checking device and method therefor
JPH1136974A (en) Controller for vehicle
JPH11141391A (en) Controller for automobile
JP2599262B2 (en) Failure diagnosis device for electronic engine control device
JPH0742609A (en) Memory checker for vehicle controller
JP2002227662A (en) Electronic control device
JP2002303203A (en) Vehicle control device, and method for assembling the same
US20030037213A1 (en) Method for protecting a microcomputer system against manipulation of its program
JPH06149626A (en) Electronic controller
US6839622B2 (en) Vehicle control system
JP2004318672A (en) Processor
JPH0720935A (en) Abnormality detecting device
JPH09120368A (en) Cpu monitor device

Legal Events

Date Code Title Description
AS Assignment

Owner name: SIEMENS AKTIENGESELLSCHAFT, GERMANY

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:ZIEGLER, HERBERT;MERL, RICHARD;JOUVENAL, HORST;AND OTHERS;REEL/FRAME:010929/0519

Effective date: 19980901

FPAY Fee payment

Year of fee payment: 4

FEPP Fee payment procedure

Free format text: PAYOR NUMBER ASSIGNED (ORIGINAL EVENT CODE: ASPN); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

FPAY Fee payment

Year of fee payment: 8

REMI Maintenance fee reminder mailed
LAPS Lapse for failure to pay maintenance fees
STCH Information on status: patent discontinuation

Free format text: PATENT EXPIRED DUE TO NONPAYMENT OF MAINTENANCE FEES UNDER 37 CFR 1.362

FP Lapsed due to failure to pay maintenance fee

Effective date: 20121205